Vulnerability and information security investment: An empirical analysis of e-local government in Japan

Journal of Accounting and Public Policy - Volume 24 - Pages 37-59 - 2005
Hideyuki Tanaka (1), Kanta Matsuura (2), Osamu Sudoh (1)
(1) Graduate School of Interdisciplinary Informatics, The University of Tokyo, 7-3-1 Hongo, Bunkyo-ku, Tokyo 113-0033, Japan
(2) Institute of Industrial Science, The University of Tokyo, 4-6-1, Komaba, Meguro-ku, Tokyo 153-8505, Japan
